Wordpress Exploit

Heavy PHP usage threatens WordPress sites with remote code execution. The problem affects several CMSs, such as Typo3 and WordPress, as well as the widely used PDF generation library TCPDF.

Researchers have developed a proof-of-concept exploit that would let bad actors abuse a serious flaw in a PHP coding idiom used by several large CMS projects, among them WordPress. The Secarma researchers who discovered the exploit said it exposes millions of WordPress sites (and other web applications) to compromise.

The exploit stems from the behavior of PHP's built-in "phar://" stream wrapper, which lets PHP provide file-handling functions across a range of protocols, the researchers said this weekend. Phar archives are typically used to store self-extracting or self-contained applications, the researchers said. "This means that when a file operation attempts to access the archived files, they must be deserialized, i.e. converted from simple strings into objects, which happens automatically."

According to the researchers, however, this process has weaknesses that allow bad actors to execute code remotely. This is done by placing maliciously crafted data in the archive, which is then deserialized and run by the legitimate server process. "It is a novel, PHP-specific attack technique that can lead to deserialization in a wide range of exploit scenarios," said Sam Thomas of Secarma in a whitepaper about the attack.

Exploitation of the weakness is divided into two phases, the researchers said. First, an attacker would place a valid phar archive containing the payload on the victim's local filesystem. Then he or she would trigger a file operation on a "phar://" path that refers to that file. "Any XXE issues whose maximum impact was previously seen as file disclosure when out-of-band communication was possible must now be seen as potential code execution issues, regardless of whether out-of-band communication is possible or not," Thomas said.

In WordPress, an attacker would need permissions to upload and modify media items in order to gain sufficient control over the parameters, the researchers said. Thomas said he reported the problem to WordPress in February 2017, but it had not been fixed at the time of writing. Besides WordPress, the problem affects several other CMSs, such as Typo3, as well as the widely used PDF generation library TCPDF.

This kind of insecure deserialization in PHP has been found before: the issue was first described by Stefan Esser in 2009, and the topic is closely related to similar bugs, among them CVE-2017-12934 and CVE-2017-12933. "In recent years, there have also been several vulnerabilities in native code that implements deserialization, highlighting the risks of deserializing attacker-controlled data," the researchers said.

As for mitigation, the researchers said it does not appear possible to disable the phar extension via a configuration setting. But preventing the vulnerability starts with blocking attacker-controlled data that could invoke stream wrappers: "In order to prevent exploitation of this issue, it is essential to avoid using attacker-controlled data at the start of a filename that is used in one of the file operations that can invoke stream wrappers," they said.
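As an added example (not code from the article or from Secarma's research), here is the mitigation the researchers describe, in PHP: the vulnerable call beside a hardened version that refuses wrapper prefixes and pins the path under a fixed directory. The function names and the upload directory are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or from Secarma. The function
// names and UPLOAD_BASE are assumptions made for the illustration.

// Vulnerable pattern: attacker-controlled data reaches a filesystem
// function that resolves stream wrappers. If $userPath starts with
// "phar://", file_exists() opens the archive and PHP unserializes its
// metadata, which is the trigger the researchers describe.
function thumbnailExistsVulnerable(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened pattern: attacker-controlled data never forms the start of
// the path. Refuse anything that looks like a wrapper scheme, prepend a
// fixed base directory, and check the resolved path stays inside it.
const UPLOAD_BASE = '/var/www/uploads'; // assumed location

function safeUploadPath(string $userPath): ?string
{
    // Any "scheme:" prefix (phar://, php://, data:, ...) is refused;
    // PHP matches wrapper names case-insensitively, so the check does too.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        return null;
    }
    // Reject nul bytes and traversal before joining with the base.
    if (str_contains($userPath, "\0") || str_contains($userPath, '..')) {
        return null;
    }
    $resolved = realpath(UPLOAD_BASE . '/' . ltrim($userPath, '/'));
    $base = realpath(UPLOAD_BASE);
    // realpath() returns false for missing files and for wrapper URLs.
    if ($resolved === false || $base === false) {
        return null;
    }
    if (!str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $resolved;
}

function thumbnailExistsHardened(string $userPath): bool
{
    $path = safeUploadPath($userPath);
    return $path !== null && is_file($path);
}
```

The hardened version requires PHP 8 for str_contains() and str_starts_with(); on older releases substitute strpos()-based checks.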

Updated August 21 at 16:30 to further explain some of the privileges an attacker would need to carry out a WordPress-based attack.
